This post has been updated.
I once had the kind of experience that reminds you the future is both amazing and absurd: A Peruvian teenager stole my Netflix account. I found out about this when my wife called complaining she was locked out of my streaming account. When I requested a new password, I discovered the email had been changed. That means this brat had not only stolen my Netflix and wreaked havoc on my algorithm, but also breached the email connected to my account.
That address happened to be an old one I’d had since high school. Which made me think: Could I be sure this was a minor breach, and not a major security problem? Hackers might be using my email for other nefarious ends. I decided better safe than sorry and deleted my entire email address.
Although my instinct was good, I acted on impulse. And, because I failed to take a few simple steps before hitting delete, I ended up making a bad situation a thousand times worse. Here’s what I learned, so you don’t make the same mistakes.
Why your old email accounts may need to be deleted
Email addresses are a weak link in cybersecurity. So many things you do online is tied to one of your accounts. As a result, if a hacker can breach your email, they can quickly get into your photo storage, social media, shopping, gaming, streaming, and other accounts. After all, if you forget your password to one of these websites, you just click “Forgot password?” and the service sends it to your compromised inbox.
Even if you trust your provider, your email may be more vulnerable than you think. My old address happened to be a Yahoo! Email one, compromised in one of the high-profile leaks in the past few years, which together have revealed the personal data of millions of people. But I kept it around anyway: Since it had been my address for more than a decade, it still served as my login credential for almost everything I did online, from e-commerce to, yes, Netflix.
Aggravating the problem is that many people use the same handful of terrible passwords for multiple accounts. If you have the same code for your email and any other account, even if the string of letters and numbers seemed uncrackable in high school, it’s probably easy for hackers to find.
[Related: You should start using a password manager]
One way to solve this problem is to kill your old email address. It’s not the only way, of course; you can also change your password and enable two-factor authentication. But if you don’t use the email account, like in my case, or you’ve been planning to phase it out anyway, deletion is the best option.
That said, when I just deleted my old account without planning ahead, it quickly became a nightmare: I lost access to almost every account I had. While many web services have plans in place for just this contingency, some of my online life was lost for good. When you get rid of your compromised email, here’s how to do it the smart way.
Figure out what an old email address is attached to
Before you eliminate an old email, inventory the services—social media, gaming, video streaming, and so on—that rely on it as a login credential. Once you’ve created a list of your accounts, look up their policies on changing emails. For example, some sites will send you a verification link as soon as you enter your password and new email address. Others may require that you call and offer a form of identification they already have on file, such as a credit card or a driver’s license.
As a rule of thumb, the more secure the site has to be, the more bureaucratic hoops you can expect to jump through. That’s a good thing, as it helps prevent identity fraud.
This is also a good time to do a general house-cleaning of online accounts you don’t use. I wound up deleting several old shopping site accounts because changing my email address took more trouble than my membership was worth. Similarly, I don’t think many web-commenter accounts I made back in high school were worth preserving.
For extra protection, change your passwords as you go and install a vault program to remember them for you. Having a digital password manager saved me on a few occasions; it meant I could keep all my codes on hand despite the fact that I didn’t have my email. A keeper can also generate different secure passwords for each site so you don’t fall back on the insecure practice of recycling the same phrase over and over again.
[Related: How to get started using a password manager]
Finally, enable multi-factor authentication, also called two-factor authentication or 2FA, wherever you can. 2FA is the online equivalent of requiring two forms of ID. For example, if you forget your password, you might have to answer a security question and also use your phone to reply to a text. Enabling 2FA meant that, even though my email was dead, I had an avenue to get into my accounts.
Download your data from your out-of-use email accounts
Your inbox might contain attachments you’ll want to keep—things like vital financial documents and family photos. All major email providers offer a tool that will collect your emails, although putting together the full archive may take a few days. Google, for example, offers a tool called Takeout that will let you carry off literally everything.
Once that’s done, you should also download your full list of contacts so you can import them to your new email address later. Most email programs will allow you to download contacts as comma-separated values (CSV) files, which you can then upload to another account. That said, these tools usually only collect email addresses you’ve formally added to your address book, so if you rely on autofill, or have been talking to Aunt Cheryl through the same email thread for a decade, some addresses may not port over.
And don’t hesitate to go old-school. I managed to stay in touch with a few friends from college because, fortunately, I still had their emails on scraps of paper. I recommend a nice address book; it’s much cleaner.
Pick a new email provider
Often, we pick email services based on convenience. If you bought an Android phone, you might prefer Gmail because everything’s tied to that account. But if you’re concerned about Google’s policies, you don’t have to go back.
Secure email services like Tutanota—which uses end-to-end encryption to ensure only you and your friends see your messages—are increasingly popular. Another great option is called Hey. These providers often offer free or very cheap personal plans, usually about $1 to $3 per month, although Hey is $99 annually. And if none of that appeals? Build your own server.
After you’ve selected a service, it’s time to pick a new email address. Make it reflective of your old one, so people who only know you under that email can find you. For example, my “new” email address is actually just my old one on a different website (Gmail instead of Yahoo!). Especially with friends you’ve primarily met online, your old email might be the only place they can find you—and changing it to something similar can help you maintain those connections.
Once your new email is up and running, import those old contacts and send them an introductory email alerting them about the change. Or, if you don’t mind keeping your old email for about a month, use it to set up an “out of office” automatic message. This should tell contacts that you plan to shut down this account, when the kill date is, and the new address where they can reach you.
Delete the old email account
At last, you’re all ready to sunset your old email. How do you do it? The exact steps will depend on the provider.
For Gmail accounts, head to Google’s “Delete Services” page, which may require you to sign in. Then click the trash can icon next to Gmail; Google will walk you through the steps from there.
For Yahoo, follow these instructions, and take these steps to delete a Microsoft email address. However, with these providers, you cannot delete individual services like your email alone. Instead, you’ll have to delete your entire account, including any other subscriptions and ongoing services, such as Skype, that you might want to keep. It’s up to you whether you think that tradeoff is worth it.
This article was first published in 2018.